Okay, so ... I know someone might, but really who will audit any of his existing code?
(Sure, that's slightly different than identifying such an auto-update point and then trying to do a supply-chain attack. But do maintainers look at what they package? In how much detail?)
That's the point of packaging it... you review it at the time that you package it, and then you review it each time you update it in the future. Should always do a simple diff at minimum to see what changed. That's just part of being a responsible open source user.
The open source user they're referring to is the package creator, not the package installer. The package creator takes responsibility for the software they package. I sure hope they check the diff. I certainly do for the packages I maintain.
But is that an audit? How much is that worth against a determined and skilled adversary? I mean, if they quickly make a lot of big changes, they can easily drown packagers/reviewers, and then slipping something through becomes a waiting game.
Home Assistant's core developers really do look at the integration plugins rather closely before they accept any pull request that updates the dependencies. This is needed, as badly coded integration libraries really can negatively impact the stability and performance of the whole system.
It is not uncommon to see them request changes to the bumped library to fix any issues they have noticed.